New Zealand’s First SMS Blaster Attack Orchestrated from China with Help from Auckland Teen

By Craig Kapitan | Senior Multimedia Journalist · NZ Herald · 27 Jul, 2025 04:44 AM

Auckland teenager Chenwei Zhang, 20, was unknowingly involved in New Zealand’s first-ever “SMS blaster” smishing attack, a sophisticated form of cybercrime that mimics cell towers to send out fake bank texts. The device, which was hidden in the boot of Zhang’s car, was able to hijack nearby phones and send thousands of scam messages, claiming to be from ANZ and ASB banks and directing victims to illegal data collection websites.

In an interview with the NZ Herald, Zhang described how he was approached on WeChat by a stranger believed to be from China, who offered him $400 per day to drive around Auckland with a mysterious electronic device. Zhang, who was struggling financially at the time, accepted the offer without fully understanding the implications of his actions.

“The defendant asked where he would be driving,” authorities explained in the agreed summary of facts for Zhang’s case. “The UKP [unknown person] said anywhere with crowds of people.”

Zhang received a courier parcel with the device and was instructed on how to activate and install it in the boot of his car. The device was later detected by police in a raid on Zhang’s vehicle, and it was found that the signal had been active in multiple locations across Auckland, including Wellsford, the city centre, and Hamilton.

“It is insidious offending,” Judge Kirsten Lummis told Zhang during his sentencing hearing, emphasizing the potential impact of the scam on large numbers of people. While Zhang was initially charged with recklessly interfering with the New Zealand telecommunications network, the charge was later reduced to illegally accessing a computer system, a crime punishable by up to two years in prison.

Despite the lack of actual financial loss due to the effectiveness of two-factor authentication, Judge Lummis noted that Zhang’s actions were similar to those of a drug courier, who knows they are doing something illegal but does not fully understand the consequences. She also acknowledged Zhang’s guilty plea, his youth, and the low risk of reoffending.

As a result of his conviction, Zhang’s immigration status was compromised, and he was sentenced to 100 hours of community work. His student visa, which was set to expire in January, was also affected by the conviction.

“I understand you were driven to this offending because you were struggling financially and did not want to be reliant on your parents,” Judge Lummis said. “However, the aspect of deterrence is in the forefront of my mind during this sentencing exercise.”

The case highlights the growing threat of SMS blaster attacks and the need for greater awareness among the public. As Judge Lummis noted, these machines can be easily purchased online, and nearly everyone carries a mobile phone linked to personal data, making them a potential target for cybercriminals.

The incident has also raised concerns about the role of international actors in orchestrating such crimes and the ease with which individuals can be lured into participating in cybercrime without fully understanding the consequences.

As the first case of its kind in New Zealand, the Zhang incident serves as a warning to others who may be tempted by the lure of quick cash, even if it means unwittingly participating in a criminal enterprise.